internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

Connection test - TLS information #1337

Open bwbroersma opened 4 months ago

bwbroersma commented 4 months ago

In the desire to debug the TLS Client Hello I came across https://browserleaks.com/tls, which has a nice JSON API: https://tls.browserleaks.com/tls which will show all cipher suites (e.g. PQ RFC draft - X25519Kyber768Draft00 support) and extensions (e.g. RFC 3546 - SNI, RFC draft - NPN, RFC 7301 - ALPN, RFC 7366 - Encrypt-then-MAC, RFC draft - ECH, RFC 8879 - certificate compression), without the need to spin up Wireshark.

For example I don't see Firefox Nightly nor Safari iOS having Encrypt-then-MAC (while curl does), and (my) Firefox Nightly has PQ support, while iOS has certificate compression support. Might also be interesting to check for those on the server side (in the Server hello) for the website TLS and email STARTTLS check.

Not sure if it would fit the connection test, since it's browser based. And of course it would be nice to replicate the JSON API as open source. It could be done by using nginx in the Preread phase by decoding the Client hello with js_preread, looks like the read-tls-client-hello package would then be a good match (although the ts needs to be transpiled for njs).
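
The ClientHello decoding discussed in the comment above, as an added example that is not part of the issue and is not code from Internet.nl, browserleaks or read-tls-client-hello: a plain JavaScript parser that lists the cipher suites, extensions and supported groups of one TLS record. The function names and the sample handshake are constructed for illustration, and the wiring into `js_preread` is not shown.

```javascript
// Extension code points named in the issue (IANA TLS ExtensionType values).
const EXT_NAMES = { 0: 'server_name', 10: 'supported_groups', 16: 'alpn',
  22: 'encrypt_then_mac', 27: 'compress_certificate',
  13172: 'next_protocol_negotiation', 65037: 'encrypted_client_hello' };
const X25519KYBER768DRAFT00 = 0x6399; // supported_groups id of the PQ hybrid

// Parse one TLS record carrying a whole ClientHello (Uint8Array in).
// Returns null for anything that is not a ClientHello or is truncated.
function parseClientHello(bytes) {
  const v = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  try {
    if (v.getUint8(0) !== 0x16 || v.getUint8(5) !== 0x01) return null;
    let p = 5 + 4 + 2 + 32;       // record hdr, handshake hdr, version, random
    p += 1 + v.getUint8(p);       // legacy_session_id
    const cipherSuites = [], extensions = [], groups = [];
    const csEnd = p + 2 + v.getUint16(p);
    for (p += 2; p + 1 < csEnd; p += 2) cipherSuites.push(v.getUint16(p));
    p = csEnd;
    p += 1 + v.getUint8(p);       // compression methods
    // The extensions block is optional in old ClientHellos.
    const extEnd = p < bytes.length ? p + 2 + v.getUint16(p) : p;
    p += 2;
    while (p < extEnd) {
      const type = v.getUint16(p), len = v.getUint16(p + 2);
      p += 4;
      extensions.push(EXT_NAMES[type] || type);
      if (type === 10) {          // u16 list length, then u16 group ids
        const gEnd = p + 2 + Math.min(v.getUint16(p), len - 2);
        for (let g = p + 2; g < gEnd; g += 2) groups.push(v.getUint16(g));
      }
      p += len;
    }
    const postQuantum = groups.includes(X25519KYBER768DRAFT00);
    return { cipherSuites, extensions, groups, postQuantum };
  } catch (e) {
    if (e instanceof RangeError) return null; // read past the end: truncated
    throw e;
  }
}

// Constructed sample: a minimal ClientHello built here, not a captured one.
function sampleClientHello() {
  const u16 = n => [n >> 8, n & 0xff];
  const ext = (type, body) => [...u16(type), ...u16(body.length), ...body];
  const exts = [...ext(10, [0, 4, 0x63, 0x99, 0x00, 0x1d]), // PQ hybrid, x25519
    ...ext(16, [0, 3, 2, 0x68, 0x32]),                       // ALPN "h2"
    ...ext(22, []), ...ext(27, [2, 0, 2])];                  // EtM, brotli
  const body = [3, 3, ...new Array(32).fill(0), 0, ...u16(4),
    0x13, 0x01, 0x13, 0x02, 1, 0, ...u16(exts.length), ...exts];
  const hs = [1, 0, ...u16(body.length), ...body];
  return Uint8Array.from([0x16, 3, 1, ...u16(hs.length), ...hs]);
}
```

A ClientHello split across several TCP segments has to be buffered until the record length is satisfied before it is passed to `parseClientHello`.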